Privacy Advisor

Workplace Monitoring Present and Future

September 1, 2008

By Matthew Barach

A Big Brother type software application from Microsoft might be the next wave of employee monitoring in the American workplace. Microsoft has filed patent application number 20070300174 in the United States for a "unique monitoring system," which is capable of tracking an employee's productivity, physical state and stress level. According to the patent application, the detection component would monitor, "heart rate…skin response…EMG, brain signals, respiration rate, body temperature, facial movements, facial expressions and blood pressure."  The monitoring could be conducted on a desktop computer, laptop, cell phone, pocket phone and even an employee's PDA. The device would link workers to their computers' via wireless sensors.

Traditionally, "accepted forms of employment monitoring have been in the Internet, email and telephone monitoring," points out Jacqueline Klosek, a privacy attorney at Goodwin Proctor LLP and author of the recently published War on Privacy. She adds that additional employee type monitoring technologies have been "related to employment movements such as GPS technology. This is a new realm."

The practical applications of this system might provide employers with the ability to identify user strengths and weaknesses, and it will also allow monitors to provide employees with various forms of workplace assistance. Assistance could be Web- or human-based.

"This particular patent application, in general, describes an innovation aimed at improving activity monitoring systems," stated Horacio Gutierrez, vice president of intellectual property and licensing at Microsoft, "and uses the monitoring of user' heart rates as an example of the kind of physical state that could be monitored to detect when users need assistance with their activities, and to offer assistance by putting them in touch with other users who may be able to help."

The legal record of the workplace privacy battle between employers and their employees is akin to the Harlem Globetrotters versus the Washington Generals, with employees playing the hapless role of the Generals. American courts have consistently ruled that employees have no or little right to privacy in the workplace. Courts have attempted to balance an employee's reasonable expectation of privacy with the business use for such intrusion. The business purpose for employee monitoring has usually outweighed the employee's expectation of privacy.

"Employers do have a fair amount of latitude in monitoring data," said Philip Gordon, head of the Privacy & Data Protection Practice Group at Littler Mendelson. "Under the Federal Wiretap Act employers can't monitor unless they get consent for telephone calls, but employers run into more substantial barriers when they move from monitoring thoughts over computer networks as expressed in communications over employers resources, versus employees' bodily functions; that's the distinction."

In one stark illustration of a company's ability to monitor their employees, a federal court found no "reasonable expectation of privacy in email communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management" in the case of Smythe v. Pillsbury.

In cases such as McLaren v. Microsoft Corporation, courts have justified employee monitoring in the Internet field based on property rights of employers over their equipment, and the understanding that the workplace is not in the private domain. Courts have also upheld employee monitoring over liability concerns, such as inappropriate behavior by employees in the workplace, as with Garrity v. John Hancock Mutual Life Insurance Company.

Additionally, state and federal laws have offered few restrictions on employee monitoring. The Electronic Communications Privacy Act of 1986, which extends the Federal Wiretap Act to prohibit unauthorized interception of electronic communication, is not usually relevant in the work sphere, as companies monitor emails through the retrieval of stored communication rather than interception. Also, the Electronic Communications Act provides exceptions for provider authorization and user consent. Only two states, Connecticut and Delaware, have passed laws requiring notice to employees prior to workplace monitoring of email communications.

As a result of the legal context and the growth in technology, monitoring remains a staple in the modern workplace. According to a February 2006 fact sheet by the Privacy Rights Clearinghouse, "Recent surveys have found that a majority of employers monitor their employees. (T)hree-fourths of employers monitor their employees' Web site visits… 65% use software to block connections to Web sites deemed off-limits for employees. About a third track keystrokes and time spent at the keyboard. Just over half of employers review and retain electronic mail messages."

The growing presence of biometric technology is also changing the American workplace. Biometric technology can identify an individual based on unique physiological or behavioral characteristics. The common biometric example is a fingerprint, but other technologies include iris and retinal scans and facial recognition. According to a whitepaper presented by the Security Industry Association, biometrics are being used so, "employers can control who has access to what equipment, prevent fraudulent time and attendance entries and protect their assets from theft."

Interestingly, because of biometric technologies' association with security, employees seem willing to accept these new systems. According to a recent Harris Interactive survey, "four out of five employees and managers said they would be willing to have an ID card issued by their employer that would contain their photo, basic personnel information and a biometric identifier, such as a fingerprint."

But there might be limitations on what employees will ultimately accept from their employers, even in the biometric arena. Take mandatory microchipping, the practice of installing a microchip under the skin. Gordon writes that, "According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute, more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation." In fact, a number of states have outright banned the practice.

But future workplace monitoring techniques, such as those being developed by Microsoft, and the others that are sure to follow, might be beyond what courts, legislatures and employees have faced in the recent past. "This is an additional level of monitoring. You could draw conclusions that may or may not be correct," said Klosek.

As Attorney Gordon states, "There is an issue under the American Disabilities Act of requiring employees from undergoing medical exams. This type of monitoring could be considered a medical exam because it would reveal health-related concerns."

The question for courts and privacy advisors will continue to be how to best balance the ability to monitor employees versus employees' rights.

"The balance is the comfortable work environment for associates, you don't want the monitoring to hurt their productivity," said Zoe Strickland, vice president and chief privacy officer for Wal-Mart Stores, Inc. "It is a hard line to draw because it's new. Employers will need to balance productivity versus oversight."

Best practices will be to explain fully and clearly the policy and its rational as well as obtaining an associates' consent. "Number one best practice is to put in place a policy to make very clear what the rules are," stated Gordon.

If courts and legislatures have been the guide in the past, then employers will continue to have great latitude in controlling the workplace. Innovative forms of technology will likely play an even greater role in monitoring employees in the American workplace. However, although American courts and governments may not place many limits on privacy in the workplace, practical business decisions will likely still rule the day.

"The market plays a strong role in controlling privacy," said Klosek.

Privacy advocates will be forced to examine closely the rationale of high-tech forms of future monitoring for their organizations. Highly intrusive forms such as videotaping employees' lavatories and inserting microchips in employees will likely remain out of bounds, but monitoring for security and efficiency, particularly with consent, is likely to be the future of the American workplace. Privacy advisors will need to work closely with security leaders, IT departments and legal counsel to safely implement emerging workplace monitoring technologies.

"The privacy officer should engage in this area," added Strickland. "The question is, should we do it and, if we do, what should happen? Difficult decisions will need to be made as to when it's important to monitor."

As the future of workplace monitoring evolves along with technology, significant developments are sure to come to pass.

"Some of our patent applications reflect inventions that are currently present in our products and other applications. This particular application does not relate to any of Microsoft's current product plans," said Gutierrez.

Matthew Barach, CIPP/G, is an attorney and senior privacy consultant at Boston Privacy Group, and a member of the IAPP. He can be reached at mpbesq@comcast.net.